brakeman-lib 7.1.0 → 7.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2279f2b84d3be0e168b6b16e59855f5507c0514df39c4fb4b63d76721b7e87d
-  data.tar.gz: 37751126761102664819b8779940ecbc2097caec46176f4fc8d3b0f740585579
+  metadata.gz: 7ea221a705906bc411f454313acfcdf88cca8b45c9fbfc31fa4f3ccf29b0e2f5
+  data.tar.gz: 3aa55c53e8da987ae87ada8a3b82a763a38a9926a37c62aa1ab097878abb86b6
 SHA512:
-  metadata.gz: 2c8a2bf6f2f3c2ee11419def7e7e91a4942cf337504db7a6e54c66f7b6a645cef31ac86de9580f78bdfe0ca66d08387d4125d36f106ac63354423e3973917deb
-  data.tar.gz: b77e61957f321cdbdf33a41b057779c5b5f60a41512d538737a8aa0e57e6c6fc13cf9213cc710995ff55de04a57c1640492108529fda616553c6fb7ba5cd81d7
+  metadata.gz: 0ff5ade2e856bcb0e0c94ac76e8ab730b794e44cd8ab887d0c0687c562da8eb9ebd9429a0178c93cc0239a81f0d9621d05db2189b1ae9e28580a4d811888e7f3
+  data.tar.gz: 708dfa80c235e15e1c9c448064ba7e072846e72f7f5aa8a838dd63fb81e727ee809824629626d35199dd034219e4f606e24dbe05651ef1f3dc923dfb604e86e9

data/CHANGES.md

@@ -1,3 +1,24 @@
+# 7.1.2 - 2025-12-25
+
+* Update `ruby_parser` to remove version restriction (Chedli Bourguiba)
+* Raise minimum required Ruby to 3.2.0
+* Use Minitest 6.0
+* Reduce SQL injection false positives from `count` calls
+* Ignore more Haml attribute builder methods
+
+# 7.1.1 - 2025-11-03
+
+* Fix false positive when calling `with_content` on ViewComponents (Peer Allan)
+* Word wrap text output in pager
+* Consider Tempfile.create.path as safe input (Ali Ismayilov)
+* Exclude directories before searching for files
+* Check each side of `or` SQL arguments
+* Ignore attribute builder in Haml 6
+* Add `FilePath#to_path` for Ruby 3.5 compatibility (S-H-GAMELINKS)
+* Fix SQL injection check for calculate method (Rohan Sharma)
+* Fix missing `td` in HTML report (John Hawthorn)
+* Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
+
 # 7.1.0 - 2025-07-18
 
 * Add EOL dates for Rails 8.0 and Ruby 3.4
@@ -7,7 +28,7 @@
 * Improve ignored warnings layout in HTML report (Sebastien Savater)
 * Update JUnit report for CircleCI (Philippe Bernery)
 * Only load escape functionality from cgi library (Earlopain)
-* Add `--ensure-no-obsolete-config-entries` option (viralpraxis)
+* Add `--ensure-no-obsolete-ignore-entries` option (viralpraxis)
 
 # 7.0.2 - 2025-04-04
 

data/README.md

@@ -1,7 +1,7 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
+[![Code Coverage](https://qlty.sh/gh/presidentbeef/projects/brakeman/coverage.svg)](https://qlty.sh/gh/presidentbeef/projects/brakeman)
 
 # Brakeman
 
@@ -65,7 +65,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 8.x.
 
-Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.2.0 to run.
 
 # Basic Options
 
@@ -75,7 +75,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github` and `sonar`.
 
 Multiple output files can be specified:
 

data/lib/brakeman/app_tree.rb

@@ -33,6 +33,7 @@ module Brakeman
     #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
+    # TODO: This is wacky and I don't like it.
     def self.regex_for_paths(paths)
       path_regexes = paths.map do |f|
         # If path ends in a file separator then we assume it is a path rather
@@ -192,7 +193,12 @@ module Brakeman
         files = patterns.flat_map { |pattern| Dir.glob(pattern) }
         files.uniq.lazy
       else
-        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        if directory == '.'
+          pattern = File.join(top_directories_pattern, '**', "#{name}#{extensions}")
+        else
+          pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        end
+
         Dir.glob(pattern).lazy
       end
     end
@@ -257,18 +263,47 @@ module Brakeman
     end
 
     def match_path files, path
+      # TODO: Converting to Pathnames and Strings seems like a lot
+      # of converting that could perhaps all be handled in Brakeman::FilePath
+      # instead?
       absolute_path = Pathname.new(path)
+
       # relative root never has a leading separator. But, we use a leading
       # separator in a @skip_files entry to imply that a directory is
       # "absolute" with respect to the project directory.
-      project_relative_path = File.join(
-        File::SEPARATOR,
-        absolute_path.relative_path_from(@project_root_path).to_s
-      )
+      #
+      # Also directories need a trailing separator.
+      project_relative_path = if File.directory?(path)
+        File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(@project_root_path).to_s,
+          File::SEPARATOR
+        )
+      else
+        File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(@project_root_path).to_s
+        )
+      end
 
       files.match(project_relative_path)
     end
 
+    def top_directories_pattern
+      top_dirs = convert_to_file_paths(Dir.glob(File.join(root_search_pattern, '*/')))
+      top_dirs.reject! { |d| File.symlink?(d) or !File.directory?(d) }
+      top_dirs = reject_global_excludes(top_dirs)
+      top_dirs = reject_skipped_files(top_dirs)
+
+      if top_dirs.empty?
+        # Fall back to searching everything, otherwise the empty pattern
+        # will start searching from the global root
+        root_search_pattern
+      else
+        "{#{top_dirs.join(',')}}"
+      end
+    end
+
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
       @root_search_pattern = search_pattern(@root)

data/lib/brakeman/checks/base_check.rb

@@ -151,10 +151,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     method[-1] == "?"
   end
 
-  TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
+  TEMP_FILE_PATH = [
+    s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze,
+    s(:call, s(:call, s(:const, :Tempfile), :create), :path).freeze
+  ].freeze
 
   def temp_file_path? exp
-    exp == TEMP_FILE_PATH
+    TEMP_FILE_PATH.include? exp
   end
 
   #Report a warning

data/lib/brakeman/checks/check_render.rb

@@ -101,6 +101,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def renderable? exp
     return false unless call?(exp) and constant?(exp.target)
 
+    if exp.method == :with_content
+      exp = exp.target
+    end
+
+    return false unless constant?(exp.target)
     target_class_name = class_name(exp.target)
     known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
   end

data/lib/brakeman/checks/check_sql.rb

@@ -188,14 +188,20 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                       when :find_by_sql, :count_by_sql
                         check_by_sql_arguments call.first_arg
                       when :calculate
-                        check_find_arguments call.third_arg
+                        if call.num_args > 2
+                          unsafe_sql?(call.second_arg) or check_find_arguments(call.third_arg)
+                        elsif call.num_args > 1
+                          unsafe_sql?(call.second_arg)
+                        end
                       when :last, :first, :all
                         check_find_arguments call.first_arg
                       when :average, :count, :maximum, :minimum, :sum
-                        if call.length > 5
-                          unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
+                        if call.num_args > 1
+                          if version_between?("0.0.0", "4.9.9") # In Rails 5+ these do not accept multiple arguments
+                            check_find_arguments(call.first_arg) or check_find_arguments(call.second_arg)
+                          end
                         else
-                          check_find_arguments call.last_arg
+                          check_find_arguments call.first_arg
                         end
                       when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
                         check_query_arguments call.arglist
@@ -315,6 +321,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       check_hash_keys arg
     elsif node_type? arg, :lit, :str
       nil
+    elsif node_type? arg, :or
+      check_query_arguments(arg.lhs) or
+        check_query_arguments(arg.rhs)
     else
       #Hashes are safe...but we check above for hash, so...?
       unsafe_sql? arg, :ignore_hash

data/lib/brakeman/file_path.rb

@@ -68,6 +68,10 @@ module Brakeman
       self.absolute
     end
 
+    # Required for Pathname compatibility.
+    # Ruby 3.5+ requires Pathname#initialize to receive a String or an object with to_path method.
+    alias to_path to_str
+
     # Returns a string with the absolute path.
     def to_s
       self.to_str

data/lib/brakeman/processors/alias_processor.rb

@@ -436,6 +436,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.method == :open
   end
 
+  def temp_file_create? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :create
+  end
+
   def temp_file_new line
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
@@ -465,6 +471,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       elsif temp_file_open? call
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = temp_file_new(exp.line)
+      elsif temp_file_create? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local

data/lib/brakeman/processors/haml_template_processor.rb

@@ -166,7 +166,16 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   def haml_attribute_builder? exp
     call? exp and
       exp.target == ATTRIBUTE_BUILDER and
-      exp.method == :build
+      escaped_builder_method? exp
+  end
+
+  def escaped_builder_method? exp
+    case exp.method
+    when :build, :build_aria, :build_boolean, :build_data, :build_id, :escape_html
+      true? exp.first_arg
+    else
+      false
+    end
   end
 
   def fix_textareas? exp

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -51,7 +51,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
     if exp.target == RAILS_CONFIG
       #Get rid of '=' at end
       attribute = exp.method.to_s[0..-2].to_sym
-      if exp.args.length > 1
+      if exp.num_args > 1
         #Multiple arguments?...not sure if this will ever happen
         @tracker.config.rails[attribute] = exp.args
       else

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -78,7 +78,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     if exp.target == RAILS_CONFIG
       #Get rid of '=' at end
       attribute = exp.method.to_s[0..-2].to_sym
-      if exp.args.length > 1
+      if exp.num_args > 1
         #Multiple arguments?...not sure if this will ever happen
         @tracker.config.rails[attribute] = exp.args
       else

data/lib/brakeman/report/pager.rb

@@ -92,7 +92,7 @@ module Brakeman
       if system("which less > /dev/null")
         less_help = `less -?`
 
-        ["-R ", "-F ", "-X "].each do |opt|
+        ["-R ", "-F ", "-X ", " --wordwrap"].each do |opt|
           if less_help.include? opt
             @less_options << opt
           end

data/lib/brakeman/report/templates/header.html.erb

@@ -51,7 +51,7 @@
     <tr>
       <td><%= tracker.app_path %></td>
       <td><%= rails_version %></td>
-      <td><%= brakeman_version %>
+      <td><%= brakeman_version %></td>
       <td>
         <%= tracker.start_time %><br><br>
         <%= tracker.duration %> seconds

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.1.0"
+  Version = "7.1.2"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -172,6 +172,20 @@ class Sexp
     self[2] = name
   end
 
+  # Number of arguments in a method call.
+  def num_args
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+
+    case self.node_type
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
+      self.length - 3
+    when :super
+      self.length - 1
+    when :zsuper
+      0
+    end
+  end
+
   #Sets the arglist in a method call.
   def arglist= exp
     expect :call, :attrasgn, :safe_call, :safe_attrasgn

metadata

@@ -1,17 +1,31 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 7.1.0
+  version: 7.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-18 00:00:00.000000000 Z
+date: 2025-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: minitest-ci
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -25,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest-ci
+  name: minitest-mock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -72,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.20.2
+        version: 3.22.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.20.2
+        version: 3.22.0
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -463,7 +477,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="